Hello community,
here is the log from the commit of package util-linux-crypto
checked in at Tue May 8 20:10:47 CEST 2007.
--------
--- util-linux-crypto/util-linux-crypto.changes 2007-05-04 16:38:57.000000000 +0200
+++ /mounts/work_src_done/STABLE/util-linux-crypto/util-linux-crypto.changes 2007-05-08 15:20:17.450749000 +0200
@@ -1,0 +2,16 @@
+Tue May 8 15:16:41 CEST 2007 - lnussel@suse.de
+
+- boot.crypto: switch off splash screen only when needed
+- boot.crypto: report status for individual volumes instead of using one global
+ exit status
+- hashalot: exit unsucessfully on empty passphrase
+
+-------------------------------------------------------------------
+Tue May 8 10:43:24 CEST 2007 - lnussel@suse.de
+
+- boot.crypto: sleep a bit longer before overwriting the prompt
+- boot.crypto: add support for pseed and itercountk options
+- boot.crypto: skip entries with unsupported/unknown options
+- hashalot: add support for itercountk
+
+-------------------------------------------------------------------
New:
----
hashalot-ctrl-d.diff
hashalot-fixes.diff
hashalot-libgcrypt.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ util-linux-crypto.spec ++++++
--- /var/tmp/diff_new_pack.Sm5078/_old 2007-05-08 20:10:09.000000000 +0200
+++ /var/tmp/diff_new_pack.Sm5078/_new 2007-05-08 20:10:09.000000000 +0200
@@ -22,7 +22,7 @@
Group: System/Base
Autoreqprov: on
Version: 2.12r
-Release: 28
+Release: 31
Summary: A Collection of Basic File System Encryption Utilities
Source: cryptsetup-luks-%csver.tar.bz2
Source1: hashalot-%haver.tar.bz2
@@ -36,6 +36,9 @@
Source99: cryptsetup-mktar
Patch0: dmconvert-0.2-uninitialized.patch
Patch1: cryptsetup-luks-libnostderr.diff
+Patch10: hashalot-fixes.diff
+Patch11: hashalot-libgcrypt.diff
+Patch12: hashalot-ctrl-d.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Provides: aaa_base:/etc/init.d/boot.crypto
# we need losetup
@@ -74,6 +77,10 @@
%patch0
cd cryptsetup-luks-%csver
%patch1 -p1
+cd ..
+%patch10
+%patch11
+%patch12
%build
# cryptsetup build
@@ -89,6 +96,7 @@
cd ..
# hashalot build
cd hashalot-%haver
+autoreconf -f -i
%{?suse_update_config:%{suse_update_config}}
CFLAGS="$RPM_OPT_FLAGS" ./configure --prefix=%_prefix --sbindir=/sbin --mandir=%_mandir
make
@@ -163,6 +171,16 @@
%{_libdir}/libcryptsetup.so
%changelog
+* Tue May 08 2007 - lnussel@suse.de
+- boot.crypto: switch off splash screen only when needed
+- boot.crypto: report status for individual volumes instead of using one global
+ exit status
+- hashalot: exit unsucessfully on empty passphrase
+* Tue May 08 2007 - lnussel@suse.de
+- boot.crypto: sleep a bit longer before overwriting the prompt
+- boot.crypto: add support for pseed and itercountk options
+- boot.crypto: skip entries with unsupported/unknown options
+- hashalot: add support for itercountk
* Fri May 04 2007 - lnussel@suse.de
- upgrade cryptsetup to current svn revision 30 which includes
previous patches.
++++++ boot.crypto ++++++
--- util-linux-crypto/boot.crypto 2007-05-02 09:35:52.000000000 +0200
+++ /mounts/work_src_done/STABLE/util-linux-crypto/boot.crypto 2007-05-08 14:48:36.000000000 +0200
@@ -53,14 +53,17 @@
fi
splash=""
+did_redirect=""
+otty=$(stty -g)
redirect ()
{
+ test -z "$did_redirect" || return 0
+ did_redirect=1
if test -e /proc/splash ; then
read splash < /proc/splash
echo verbose > /proc/splash
fi
- otty=$(stty -g)
- stty $otty < $REDIRECT
+ test -z "$otty" || stty "$otty" < $REDIRECT;
stty -nl -ixon ignbrk -brkint < $REDIRECT
if test -x /etc/init.d/kbd -a -n "$RUNLEVEL" ; then
/etc/init.d/kbd start
@@ -69,7 +72,8 @@
restore ()
{
- stty $otty < $REDIRECT;
+ test -n "$did_redirect" || return 0
+ test -z "$otty" || stty "$otty" < $REDIRECT;
[[ "$splash" =~ silent ]] && echo silent > /proc/splash
}
@@ -82,7 +86,7 @@
(
trap "exit 0" SIGTERM
trap "echo" SIGINT SIGSEGV
- usleep 10000
+ usleep 15000
while test $TIMEOUT -gt 0 ; do
# cursor to start of line, erase line, print prompt
echo -en "\r\e[2K${prmt}"
@@ -91,7 +95,7 @@
done
) & ppid=$!
else
- usleep 10000
+ usleep 15000
echo -en "\r${prmt}"
ppid=0
fi
@@ -223,18 +227,31 @@
return 0
}
+report()
+{
+ rc_failed "$1"
+ shift
+ echo -n "$*"
+ rc_status -v
+}
+
start_cryptotab ()
{
test -s $CRYPTOTAB || return 0
- local ret=0
local stat=0
+ local haveone=''
echo "Activating crypto devices using $CRYPTOTAB ... "
while read loopdev physdev access filesys crypto mopt info rest ; do
case "$loopdev" in
\#*|"") continue ;;
esac
+
+ haveone=1
+
+ redirect
+
# key length for cryptsetup
keylen=
ivgen='plain'
@@ -249,13 +266,11 @@
# Does the mount point exit?
#
if ! test -d $access ; then
- ret=1
- echo "$access doesn't exist, skipping"
+ report 5 "$physdev: $access doesn't exist"
continue
fi
if ! test -e $physdev ; then
- ret=1
- echo "$physdev doesn't exist, skipping"
+ report 5 "$physdev doesn't exist"
continue
fi
#
@@ -266,20 +281,18 @@
twofishSL92) keylen=256; ivgen='null' ;;
twofish[0-9]*) keylen=${crypto#twofish}; ;;
#TODO add more algorithm or better detection
- *) echo "${extd}${crypto}: unsupported algorithm${norm}"; continue ;;
+ *)
+ report 2 "$physdev: unsupported algorithm \"$crypto\""
+ continue
+ ;;
esac
cipher=twofish-cbc-$ivgen
- if test $? -ne 0; then
- ret=1
- continue
- fi
-
name="${loopdev#/dev/}"
name="cryptotab_${name//[^A-Za-z0-9]/_}"
if [ -e "/dev/mapper/$name" ]; then
- echo "Skipping mapped entry $name."
+ report 5 "$physdev: $name already mapped"
continue
fi
@@ -304,7 +317,10 @@
# we always use a loop device to avoid block size issues
# with e.g. cdroms for backward compatability
- losetup $loopdev $physdev || continue 2
+ if ! losetup $loopdev $physdev; then
+ report 1 "$physdev..."
+ continue 2
+ fi
params="-t $TIMEOUT -c $cipher -s $keylen -h $hashalgo"
@@ -315,6 +331,7 @@
if test "$stat" -ne 0; then
detachloopdev
+ report 1 "$physdev..."
continue 2
fi
@@ -334,12 +351,13 @@
#
if test $doskip -gt 0 ; then
/sbin/cryptsetup remove $name || true
+ report 5 "$physdev..."
detachloopdev
continue
fi
if ! run_fsck "$filesys" "$device" "$access" "$physdev"; then
- ret=1
+ report 1 "$physdev..."
continue
fi
@@ -348,20 +366,32 @@
esac
mount -t $filesys ${mopt:+-o $mopt} $device $access
- if test $? -gt 0 ; then
- ret=1
+ stat=$?
+ if test $stat -gt 0 ; then
+ stat=1
/sbin/cryptsetup remove $name || true
detachloopdev
fi
+ report $stat "$physdev..."
done < $CRYPTOTAB
- return $ret
+
+ if test -z "$haveone"; then
+ rc_failed 6
+ rc_status -v1
+ fi
+}
+
+hashalotcryptsetup()
+{
+ /sbin/hashalot ${halgo:+$halgo} ${pseed:+-s $pseed} ${itercountk:+-C $itercountk} | /sbin/cryptsetup "$@"
}
start_crypttab ()
{
test -s $CRYPTTAB || return 0
- local ret=0
+ local stat=0
+ local haveone=''
echo "Activating crypto devices using $CRYPTTAB ... "
while read name physdev keyfile options dummy; do
@@ -369,9 +399,12 @@
\#*|"") continue ;;
esac
+ haveone=1
+ redirect
+
# skip mapped entries
if test -e /dev/mapper/$name; then
- echo "Skipping mapped entry $name."
+ report 5 "$physdev: $name already mapped"
continue
fi
@@ -380,13 +413,11 @@
# make sure the keyfile exists
if test -n "$keyfile" -a ! -e "$keyfile"; then
- echo "$keyfile does not exist, skipping"
- ret=1
+ report 5 "$physdev: $keyfile does not exist"
continue
fi
if ! test -e $physdev ; then
- echo "$physdev doesn't exist, skipping"
- ret=1
+ report 5 "$physdev doesn't exist"
continue
fi
@@ -407,6 +438,8 @@
halgo=""
timeout=""
tries=""
+ pseed=""
+ itercountk=""
while test -n "$options"; do
arg=${options%%,*}
options=${options##$arg}
@@ -466,26 +499,30 @@
checkargs="$value"
fi
;;
+ pseed) pseed="$value" ;;
+ itercountk) itercountk="$value" ;;
noauto) noauto=yes ;;
- precheck|loud|ssl|gpg|keyscript)
+ precheck|loud|ssl|gpg|keyscript|*)
echo "unsupported crypttab option: '$param'"
+ skip='yes'
;;
- *) echo "unknown crypttab option: '$param'" ;;
esac
done
- if test -z "$luks"; then
- params="$params ${cipher:+-c $cipher} ${halgo:+-h $halgo} ${keysize:+-s $keysize}"
- elif test -n "$cipher" -o -n "$halgo" -o -n "$keysize"; then
- echo "cipher, hash and size options are ignored for LUKS"
+ if test -n "$luks"; then
+ if test -n "$cipher" -o -n "$halgo" -o -n "$keysize" -o -n "$pseed" -o -n "$itercountk"; then
+ echo "cipher, hash, size, pseed and itercountk options are ignored for LUKS"
+ fi
fi
-
- if test "$skip" = "yes" ; then
- ret=1
- continue
+ if test -n "$keyfile"; then
+ if test -n "$halgo" -o -n "$pseed" -o -n "$itercountk"; then
+ report 2 "${ext}hash, pseed and itercountk options are invalid when using a key file${norm}"
+ continue
+ fi
fi
- if test "$noauto" = 'yes'; then
+ if test "$skip" = "yes" -o "$noauto" = "yes" ; then
+ report 5 "$physdev"
continue
fi
@@ -518,8 +555,7 @@
done
if test -z "$loopdev"; then
- echo "Failed to find usable loop device"
- ret=1
+ report 1 "$physdev: failed to find a usable loop device"
continue
fi
fi
@@ -543,15 +579,24 @@
/sbin/cryptsetup $params ${keyfile:+-d $keyfile} luksOpen "$device" "$name" < $REDIRECT &> $REDIRECT
stat=$?
else
- /sbin/cryptsetup $params ${keyfile:+-d $keyfile} create "$name" "$device" < $REDIRECT &> $REDIRECT
+ # XXX hack
+ if test -n "$pseed" -o -n "$itercountk"; then
+ params="$params -d /dev/stdin" # cannot use "-" as cryptsetup would hash that
+ cryptsetup=hashalotcryptsetup
+ else
+ cryptsetup=/sbin/cryptsetup
+ fi
+ params="$params ${cipher:+-c $cipher} ${halgo:+-h $halgo} ${keysize:+-s $keysize}"
+ $cryptsetup $params ${keyfile:+-d $keyfile} create "$name" "$device" < $REDIRECT &> $REDIRECT
stat=$?
+ unset cryptsetup
fi
if test -z "$keyfile"; then
unsetprompt
fi
if test $stat -ne 0; then
- ret=1
+ report 1 "$physdev... "
doskip=1
detachloopdev
break
@@ -561,7 +606,7 @@
if test -n "$check"; then
$check "/dev/mapper/$name" $checkargs
if test $? -ne 0; then
- ret=1
+ report 1 "$physdev... "
doskip=1
/sbin/cryptsetup remove $name
detachloopdev
@@ -586,8 +631,7 @@
/sbin/mkfs -t "$fs_type" /dev/mapper/$name
if test $? -ne 0; then
- echo "Failed to create temporary file system."
- ret=1
+ report 1 "$phsdev: failed to create temporary file system."
doskip=1
/sbin/cryptsetup remove $name
detachloopdev
@@ -607,6 +651,7 @@
if test "$stat" = 1; then # retype passphrase
continue
elif test "$stat" = 2; then # skip entry
+ report 5 "$physdev..."
doskip=1
fi
fi
@@ -626,25 +671,27 @@
# run mkswap if necessary. boot.swap with enable this later
if test "$makeswap" = "yes"; then
mkswap "/dev/mapper/$name"
- if test $? -ne 0; then
- ret=1
- fi
+ stat="$?"
+ test $stat -eq 0 || stat=1
+ report $stat "$physdev..."
continue
fi
if test -z "$infstab"; then
+ report 0 "$physdev..."
continue
fi
if ! run_fsck "$fs_type" "/dev/mapper/$name" "$mp" "$physdev"; then
- ret=1
+ report 1 "$physdev..."
continue
fi
mount /dev/mapper/$name
+ stat="$?"
- if test $? -gt 0 ; then
- ret=1
+ if test $stat -gt 0 ; then
+ stat=1
/sbin/cryptsetup remove $name || true
detachloopdev
fi
@@ -654,9 +701,13 @@
chmod 1777 $mountpoint
fi
- done < $CRYPTTAB
+ report $stat "$physdev..."
- return $ret
+ done < $CRYPTTAB
+ if test -z "$haveone"; then
+ rc_failed 6
+ rc_status -v1
+ fi
}
umount_or_swapoff()
@@ -682,8 +733,6 @@
{
test -s $CRYPTOTAB || return 0
- local ret=0
-
echo "Turning off crypto devices using $CRYPTOTAB ... "
while read loopdev physdev access filesys crypto mopt rest ; do
case "$loopdev" in
@@ -696,27 +745,26 @@
if test -b "/dev/mapper/$name"; then
if ! umount_or_swapoff; then
- ret=1
+ rc_failed 1
continue
fi
- cryptsetup remove "$name" || ret=1
+ cryptsetup remove "$name" || rc_failed 1
fi
if losetup $loopdev >/dev/null 2>&1; then
- losetup -d $loopdev || ret=1
+ losetup -d $loopdev || rc_failed 1
fi
done < <(reverse < $CRYPTOTAB)
- return $ret
+
+ rc_status -v1
}
stop_crypttab ()
{
test -s $CRYPTTAB || return 0
- local ret=0
-
echo "Turning off crypto devices using $CRYPTTAB ... "
while read name device keyfile options dummy; do
case "$name" in
@@ -727,11 +775,11 @@
if test -b "/dev/mapper/$name"; then
if ! umount_or_swapoff; then
- ret=1
+ rc_failed 1
continue
fi
- /sbin/cryptsetup remove "$name" || ret=1
+ /sbin/cryptsetup remove "$name" || rc_failed 1
fi
# delete the loop device
@@ -744,11 +792,12 @@
fi
if test -n "$loopdev" && losetup $device >/dev/null 2>&1; then
- /sbin/losetup -d $device || ret=1
+ /sbin/losetup -d $device || rc_failed 1
fi
done < <(reverse < $CRYPTTAB)
- return $ret
+
+ rc_status -v1
}
#
@@ -819,31 +868,21 @@
rc_exit
fi
- redirect
-
start_cryptotab
- rc_status
-
start_crypttab
- rc_status
- rc_status
- test $? -gt 0 && rc_failed 1 || true
- rc_status -v1
+ rc_failed 0
+
restore
cutomize_start_hook
;;
stop)
stop_cryptotab
- rc_status
stop_crypttab
- rc_status
- rc_status
- test $? -gt 0 && rc_failed 1 || true
- rc_status -v1
+ rc_failed 0
cutomize_stop_hook
;;
++++++ crypttab.5 ++++++
--- util-linux-crypto/crypttab.5 2007-04-27 15:12:08.000000000 +0200
+++ /mounts/work_src_done/STABLE/util-linux-crypto/crypttab.5 2007-05-08 15:16:33.000000000 +0200
@@ -1,11 +1,11 @@
.\" Title: crypttab
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 http://docbook.sf.net/
-.\" Date: 04/27/2007
+.\" Date: 05/08/2007
.\" Manual:
.\" Source:
.\"
-.TH "CRYPTTAB" "5" "04/27/2007" "" ""
+.TH "CRYPTTAB" "5" "05/08/2007" "" ""
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
@@ -152,7 +152,17 @@
.PP
\fBnoauto\fR
.RS 4
-causes boot.crypto to skip this record during boot
+Causes boot.crypto to skip this record during boot
+.RE
+.PP
+\fBpseed=<string>\fR
+.RS 4
+Set a string that is appended to the passphrase after hashing. Using different seeds for volumes with the same passphrase makes dictionary attacks harder. Use for compatability with loop\-AES.
+.RE
+.PP
+\fBitercountk=<num>\fR
+.RS 4
+Encrypts the hashed password <num> times using AES\-256. Use for compatability with loop\-AES.
.RE
.PP
\fBloud\fR, \fBssl\fR, \fBgpg\fR, \fBkeyscript\fR
++++++ crypttab.5.txt ++++++
--- util-linux-crypto/crypttab.5.txt 2007-04-27 15:12:02.000000000 +0200
+++ /mounts/work_src_done/STABLE/util-linux-crypto/crypttab.5.txt 2007-05-08 15:16:25.000000000 +0200
@@ -112,7 +112,16 @@
of the contained file system. E.g. ext2 on a CD.
*noauto*::
-causes boot.crypto to skip this record during boot
+Causes boot.crypto to skip this record during boot
+
+*pseed=<string>*::
+Set a string that is appended to the passphrase after hashing.
+Using different seeds for volumes with the same passphrase makes
+dictionary attacks harder. Use for compatability with loop-AES.
+
+*itercountk=<num>*::
+Encrypts the hashed password <num> times using AES-256. Use for
+compatability with loop-AES.
*loud*, *ssl*, *gpg*, *keyscript*::
not supported. Listed here as they are supported by Debian.
++++++ dmconvert-0.2-uninitialized.patch ++++++
--- /var/tmp/diff_new_pack.Sm5078/_old 2007-05-08 20:10:09.000000000 +0200
+++ /var/tmp/diff_new_pack.Sm5078/_new 2007-05-08 20:10:09.000000000 +0200
@@ -1,6 +1,8 @@
---- dmconvert-0.2/src/dmconvert.c
+Index: dmconvert-0.2/src/dmconvert.c
+===================================================================
+--- dmconvert-0.2/src/dmconvert.c.orig
+++ dmconvert-0.2/src/dmconvert.c
-@@ -33,7 +33,7 @@
+@@ -33,7 +33,7 @@ int main(int argc, char **argv)
const char *source = NULL;
const char *dest = NULL;
const char *arg;
++++++ hashalot-ctrl-d.diff ++++++
exit unsucessfully on empty passphrase
Signed-off-by: Ludwig Nussel